November 13, 2018 | Anomali Labs

The intelligence in this week's iteration discusses the following threats: APT, Data breaches, DDoS, Lazarus group, Malicious mobile applications, Malicious documents, PortSmash, SMiShing, Spear phishing, Trickbot, and Vulnerabilities. The IOCs related to these stories are attached to the Community Threat Briefing and can be used to check your logs for potential malicious activity.

Trending Threats

Nvidia GPU Side Channel Vulnerability Disclosed (November 11, 2018)
A vulnerability in Nvidia Graphics Processing Units (GPUs) has been disclosed that could allow a threat actor to breach a user's privacy through a side-channel attack. Researchers from the University of California found that the vulnerability, registered as "CVE-2018-6260," could be exploited from two different programming interfaces, OpenGL and CUDA, to spy on the user. OpenGL-based spyware could fingerprint the websites the user visits, track their activity on a site, and estimate keystroke timings for passwords with high accuracy. A CUDA-based spyware application could derive the internal parameters of a neural network model being used by another CUDA application, which poses a threat to cloud-based workloads. Nvidia is aware of the vulnerability and is currently developing a patch for this flaw.

Adobe ColdFusion Servers Under Attack from APT Group (November 9, 2018)
An unnamed Chinese Advanced Persistent Threat (APT) group is suspected to be behind a recent campaign exploiting a vulnerability in Adobe "ColdFusion" to install backdoors, according to researchers at Volexity. The group is targeting unpatched ColdFusion servers affected by the vulnerability, registered as "CVE-2018-15961," which allows unauthenticated file uploads. The group abuses the newer version of the bundled "CKEditor," which permits .jsp files to be uploaded to ColdFusion servers; this is problematic because .jsp files are natively executed by ColdFusion servers. The group was observed scanning for unpatched ColdFusion servers and uploading a .jsp version of the "China Chopper" backdoor to the vulnerable machines. It is unclear what the group intends to use the installed backdoors for, but they may later be used to host malware, send spear phishing messages, stage watering hole attacks, or act as a proxy network. Adobe released a patch for this vulnerability in September 2018.
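The detection a defender would want for this campaign is the pairing described above: a POST to the editor's upload endpoint followed by a request for a .jsp file from the same client. The script below is an added example written for this briefing, not Volexity's or Adobe's code. It parses constructed common-log-format lines and correlates upload POSTs with later .jsp/.jspx requests per client IP; the upload-path markers ("ckeditor" and "upload") and the sample paths are assumptions, since the exact CKEditor file-manager path varies by ColdFusion version.

```python
import re
from collections import defaultdict

# Common log format: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Assumed markers for the editor upload endpoint; adjust to the real path in your deployment.
UPLOAD_MARKERS = ("ckeditor", "upload")
# Extensions ColdFusion executes natively, which should never come from an upload directory.
SERVER_SIDE_EXTS = (".jsp", ".jspx")


def parse_clf(line):
    """Parse one common-log-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_upload_post(rec):
    path = rec["path"].lower()
    return rec["method"] == "POST" and all(marker in path for marker in UPLOAD_MARKERS)


def requests_server_side_file(rec):
    # Strip the query string before checking the extension.
    return rec["path"].lower().split("?", 1)[0].endswith(SERVER_SIDE_EXTS)


def find_upload_then_jsp(lines):
    """Return (client_ip, upload_path, jsp_path) for every client that POSTed to an
    upload endpoint and afterwards requested a .jsp/.jspx file from the same server."""
    uploads = defaultdict(list)
    hits = []
    for rec in filter(None, map(parse_clf, lines)):
        if is_upload_post(rec):
            uploads[rec["ip"]].append(rec["path"])
        elif requests_server_side_file(rec) and uploads.get(rec["ip"]):
            hits.append((rec["ip"], uploads[rec["ip"]][-1], rec["path"]))
    return hits


# Constructed sample log lines (not taken from the Volexity report).
SAMPLE_LOG = [
    '203.0.113.7 - - [09/Nov/2018:10:01:02 +0000] "POST /ckeditor/upload.cfm?type=file HTTP/1.1" 200 512',
    '203.0.113.7 - - [09/Nov/2018:10:01:05 +0000] "GET /uploads/files/shell.jsp HTTP/1.1" 200 1024',
    '198.51.100.4 - - [09/Nov/2018:10:02:00 +0000] "GET /index.cfm HTTP/1.1" 200 4096',
    '198.51.100.4 - - [09/Nov/2018:10:02:30 +0000] "GET /uploads/files/report.pdf HTTP/1.1" 200 8000',
]

if __name__ == "__main__":
    for ip, upload, jsp in find_upload_then_jsp(SAMPLE_LOG):
        print(f"{ip}: POST {upload} followed by request for {jsp}")
```

Run against real access logs, the same correlation is worth complementing with a filesystem check that no .jsp or .jspx file exists under the upload directory at all, since a file placed by the backdoor may be requested from a different address than the one that uploaded it.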

Inception Hackers Target European Organisations with Old Office Flaw (November 9, 2018)
Security researchers from Palo Alto Networks have found the threat group "Inception" to be active again, utilising a year-old Microsoft Office vulnerability to target organisations in Europe. The exploit, registered as "CVE-2017-11882," allows threat actors to bypass static document analysis by using the "remote templates" feature, which permits a document to load a template even when it is hosted externally on a file share or the internet. The group uses this technique to send an initial document containing no explicit malicious content in order to gather information on the target, such as the Microsoft Office version and the machine's IP address. After gathering this information, the group can deploy a malicious document with country-specific political lures that attempts to retrieve a remote payload via HTTP. The payload sets up a backdoor on the device to create an entry point for the threat actors and fingerprints the machine; this information is sent to the group's Command and Control (C2) server. Notably, the group covers its tracks by cleaning up most of the forensic evidence the dropper leaves on the device, and it can choose whether or not to drop a secondary payload depending on whether the infected device is potentially useful.
MITRE ATT&CK: [MITRE ATT&CK] Spearphishing Attachment (T1193)

This Banking Malware Just Added Password and Browser History Stealing to its Playbook (November 9, 2018)
A new version of the banking malware "Trickbot" has been observed in the wild that steals passwords on top of its existing capabilities. This variant was delivered via a malicious Microsoft Excel spreadsheet that asks the user to enable macros before viewing the document's contents. If macros are enabled, a VBS script runs and begins the malware download. The final payload, Trickbot itself, is executed via PowerShell and gains persistence by registering itself in the operating system's Task Scheduler so that it runs automatically whenever the machine is on. The new password-stealing module is called "pwgrab32"; it steals credentials from applications such as FileZilla, Outlook, and WinSCP, as well as autofill data, HTTP POST data, cookies, browsing history, passwords, and usernames stored in web browsers. Trickbot has been observed targeting users in Austria, Australia, Canada, Germany, Ireland, Switzerland, the UK, and the US.
MITRE ATT&CK: [MITRE ATT&CK] Scripting (T1064)

Malicious InPage Document and Outdated VLC Media Player Give Attackers Backdoor Access to Targets (November 8, 2018)
A recent spear phishing campaign targeting users of InPage, a word processor for languages such as Urdu, Persian, Pashto, and Arabic, has been observed by Microsoft Office 365 researchers. The campaign mainly affected people in Pakistan, and government institutions were among those impacted. It is initiated via a spear phishing email carrying an InPage document that exploits an arbitrary code execution vulnerability, registered as "CVE-2017-12842." If the attachment is opened, it executes shellcode that decrypts and runs an embedded Dynamic Link Library (DLL) containing both a legitimate VLC media player resource and a DLL hijacker. This connects to the threat actor's Command and Control (C2) server and downloads a JPEG file that contains the final payload. The final payload installed on the victim's machine allows system reconnaissance, remote command execution, and evasion of sandboxes and antivirus software.
MITRE ATT&CK: [MITRE ATT&CK] Spearphishing Attachment (T1193) | [MITRE ATT&CK] DLL Side-Loading (T1073)

FASTCash: How the Lazarus Group is Emptying Millions from ATMs (November 8, 2018)
The Lazarus group (also known as HIDDEN COBRA) has been observed by Symantec researchers conducting recent campaigns, dubbed "FASTCash," to fraudulently withdraw cash from ATMs. The Advanced Persistent Threat (APT) group begins by injecting a malicious Advanced Interactive eXecutive (AIX) executable into a legitimate process on a server in the financial transaction network that handles ATM transactions. The executable, named "Trojan.Fastcash," contains logic to produce fake ISO 8583 messages (ISO 8583 being the standard for financial transaction messaging) that approve ATM withdrawal requests. It has two primary functions: it monitors incoming messages and intercepts the group's fraudulent transaction requests so that they never reach the switch application that processes transactions, and it generates one of three possible fraudulent responses to those requests. The trojan reads the Primary Account Number (PAN) of every message and, if it detects a PAN used by the APT group, modifies the message so that the transaction is approved. Banking application servers running unsupported versions of the AIX operating system are the ones being exploited in these attacks.
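Because the trojan answers the fraudulent request itself and keeps it from reaching the switch, the switch has no record of a request for which the ATM host saw an approval. That gap is something an issuer can reconcile for. The script below is an added example written for this briefing, not Symantec's or any bank's code: it reads constructed pipe-delimited records of ISO 8583 financial requests (MTI 0200) and responses (MTI 0210) from the ATM side and the switch side, and flags every approved response (DE39 = "00") whose PAN and STAN (DE2, DE11) have no matching request processed by the switch. The record format, PANs, and amounts are all constructed.

```python
from collections import namedtuple

# ISO 8583 fields used here: MTI 0200 = financial request, MTI 0210 = financial
# response; DE2 = PAN, DE11 = STAN (trace number), DE39 = response code, "00" = approved.
Message = namedtuple("Message", "mti pan stan amount response_code")


def parse_record(line):
    """Parse a constructed pipe-delimited record: MTI|PAN|STAN|amount_minor_units|RC."""
    mti, pan, stan, amount, rc = line.strip().split("|")
    return Message(mti, pan, stan, int(amount), rc or None)


def mask_pan(pan):
    """Keep BIN and last four digits so findings can be reported without full PANs."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_unreconciled_approvals(atm_side_lines, switch_side_lines):
    """Return approved responses seen by the ATM host that the switch never processed.

    As described above, Trojan.Fastcash intercepts the fraudulent 0200 before the
    switch and fabricates the 0210 itself, so the switch log lacks the request.
    """
    processed = {
        (m.pan, m.stan)
        for m in map(parse_record, switch_side_lines)
        if m.mti == "0200"
    }
    suspicious = []
    for m in map(parse_record, atm_side_lines):
        if m.mti == "0210" and m.response_code == "00" and (m.pan, m.stan) not in processed:
            suspicious.append((mask_pan(m.pan), m.stan, m.amount))
    return suspicious


# Constructed sample records (amounts in minor units); not real transaction data.
ATM_SIDE = [
    "0210|4111111111111111|000101|5000|00",    # legitimate approval, switch saw the 0200
    "0210|4111111111111111|000102|20000|05",   # legitimate decline
    "0210|5555444433332222|000103|40000|00",   # approval with no switch-side request
]
SWITCH_SIDE = [
    "0200|4111111111111111|000101|5000|",
    "0200|4111111111111111|000102|20000|",
]

if __name__ == "__main__":
    for masked_pan, stan, amount in find_unreconciled_approvals(ATM_SIDE, SWITCH_SIDE):
        print(f"unreconciled approval: PAN {masked_pan} STAN {stan} amount {amount}")
```

In production the two sides would be the acquirer's ATM host log and the switch's transaction journal; matching on PAN plus STAN is the minimum, and adding DE37 (retrieval reference number) and the transaction timestamp tightens the join.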

Metamorfo Banking Trojan Keeps Its Sights on Brazil (November 8, 2018)
Researchers from Cisco Talos observed two banking trojans targeting customers of Brazilian financial institutions from late October until early November 2018. The campaigns that dropped the trojans used the same file naming conventions and relied on link-shortening services to obscure the distribution servers. The first campaign was initiated via spam that delivered a zipped file hosted on a free web hosting platform. The archive contained a LNK file that downloaded a PowerShell script, which in turn downloaded an archive from Amazon Web Services (AWS) containing a dynamic link library (DLL) and a compressed payload (.PRX). The .PRX file is decompressed and executes the final payload, which is the same final payload observed in the second campaign. The second campaign used phishing emails carrying a .zip file containing malicious PE32 executables. Running those executables launches a PowerShell script that eventually retrieves and executes the final payload: the banking trojans. Both trojans exfiltrate data gathered from the infected machine via keyloggers and other means, with the aim of stealing banking-related information. If the victim logs on to their bank's website, a fake pop-up appears and requests information such as card details and the CVV number. The targeted institutions include: Banco da Amazonia, Banco de Brasilia, Banco do Brasil, Banco do Nordeste, Banestes, Banrisul, Bradesco, Caixa, Citi, Itaú, Safra, Santander, Sicoob, and Sicredi.
MITRE ATT&CK: [MITRE ATT&CK] Spearphishing Attachment (T1193) | [MITRE ATT&CK] PowerShell (T1086)

Cambodia's ISPs Hit by Some of the Biggest DDoS Attacks in the Country's History (November 8, 2018)
Several Cambodian Internet Service Providers (ISPs) have been affected by a large-scale Distributed Denial-of-Service (DDoS) attack. EZECOM, SINET, Telecotech, and Digi have all confirmed that they suffered outages from the attack. The DDoS traffic against the ISPs peaked at approximately 150 Gbps (gigabits per second). The attack caused internet access speeds to drop, with downtime lasting at least half a day, and smaller-scale DDoS attacks continued throughout the week. The origin and objective of the attack remain unclear at the time of writing.

AMEX Blunder Left Thousands of Indian Customers' Personal Info Unsecured (November 7, 2018)
American Express India's MongoDB database was left publicly accessible for over five days in October 2018. The database had been listed on "Binaryedge," a popular search engine for exposed databases, since October 20, 2018. Security researcher Bob Diachenko discovered the exposed database on October 25, which means the information was accessible for at least five days, though it is unclear how long it took Amex to pull the database down after the discovery. The exposed information included Amex customer names, Aadhaar IDs, addresses, Primary Account Numbers (PANs), and phone numbers. Most of the database (approximately 2.3 million records) was encrypted; however, collections hosted under "americanexpressindia.co.in" contained hundreds of thousands of records in plain text. Amex took the database down after Diachenko notified them of the exposure. According to Amex, because the data was encrypted, no customer data was accessed without authorisation.

Fake Banking App Found on Google Play Used in SMiShing Scheme (November 7, 2018)
A fake banking application called "Movil Secure," which pretends to be a mobile token service, was discovered in the official Google Play store. Researchers from Trend Micro observed that the application is part of a "SMiShing" campaign specifically targeting Spanish-speaking users. The application pretended to be the mobile banking token service of the multinational bank Banco Bilbao Vizcaya Argentaria (BBVA). Rather than doing what it claims, the application functions as spyware. Once installed on a device, it first gathers identifying information such as the device ID, operating system version, and country code, sends this data to its Command and Control (C2) server, and then hides itself by concealing the application's icon. The application also collects text messages and phone numbers, which means the threat actors behind it could potentially compromise users' banking and other accounts, because many people receive multi-factor authentication codes and other banking transaction details via text message. This application and three others were all published by the same developer ("Zhivago") on the same day, October 19, 2018, and all function as covert spyware applications.
MITRE ATT&CK: [MITRE ATT&CK] Trusted Relationship (T1199)

VirtualBox Zero-day Published by Disgruntled Researcher (November 7, 2018)
Russian security researcher Sergey Zelenyuk publicly released details of a zero-day vulnerability in VirtualBox that could allow malicious code to escape the virtual machine (VM) and execute on the host operating system. To exploit this flaw, a threat actor could chain it with pre-existing privilege escalation bugs to obtain kernel-level access. According to Zelenyuk, the exploit is 100% reliable: it either works every time or never works at all, due to mismatched binaries or some other reason. He states that the vulnerability affects all current releases of VirtualBox regardless of which guest or host operating system is running, and that it works against the default configuration of newly created VMs. The vulnerability does not affect cloud hosting environments, because most use Type-1 hypervisors to manage VMs, whereas VirtualBox is a Type-2 hypervisor.
MITRE ATT&CK: [MITRE ATT&CK] Exploitation for Privilege Escalation (T1068)

Cryptojacking Attack Forces Canadian University to Shut Down Entire Network (November 6, 2018)
St. Francis Xavier University in Nova Scotia, Canada, was the victim of a cryptojacking attack that caused the university to shut down its entire network for almost a full week. The attack began on November 1, 2018, and upon detecting the malware, the university took its whole network offline. This caused an outage of the university's online course system, cloud storage, email services, debit transactions, and Wi-Fi. On November 4, the university issued an official statement on the attack, saying there was no indication that personal or sensitive data had been compromised and that it was working to identify and close the security breach. Services are being restored to the university network in staggered stages.

Hackers Breach StatCounter to Hijack Bitcoin Transactions on Gate.io Exchange (November 6, 2018)
ESET malware researcher Matthieu Faou discovered that unknown threat actors had inserted malicious code into the site-tracking script of "StatCounter," one of the largest web analytics platforms. The malicious code steals Bitcoin transactions made through the cryptocurrency exchange "Gate[.]io." The injection first appeared in StatCounter's site-tracking script on November 3, 2018. The snippet only runs if the page's current URL contains the path "myaccount/withdraw/BTC*". When it does run, it discreetly replaces any Bitcoin address the user enters on the page with one controlled by the threat actors in an attempt to steal funds. A different address is used for each victim, which makes tracking the threat actors' Bitcoin wallets more difficult. Gate[.]io has removed the StatCounter script from its site but has not released a statement. It is unclear at the time of writing how many people have been affected by this incident.
MITRE ATT&CK: [MITRE ATT&CK] Process Injection (T1055) | [MITRE ATT&CK] Drive-by Compromise (T1189)
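A site that embeds a third-party script is trusting that the script body does not change underneath it; the standard mitigation is Subresource Integrity (SRI), where the page pins a hash of the script and the browser refuses to run a body that does not match. The script below is an added example for this briefing, not ESET's, StatCounter's, or Gate.io's code: it computes the SRI value for a script body, builds the matching tag, and checks a freshly fetched copy against the recorded baseline, with an extra heuristic for the behaviour described above (code gated on a withdrawal URL). Both script bodies are constructed samples, not StatCounter's real tracking code.

```python
import base64
import hashlib
import re


def sri_hash(script_bytes, algo="sha384"):
    """Return a Subresource Integrity value ("sha384-<base64 digest>") for a script body."""
    digest = hashlib.new(algo, script_bytes).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src, integrity):
    """Build the <script> tag a page should use so the browser rejects a changed body."""
    return f'<script src="{src}" integrity="{integrity}" crossorigin="anonymous"></script>'


# Heuristic for the injected pattern described above: logic that only fires when the
# page location refers to a withdrawal URL. Tuned for review, not as a sole control.
WITHDRAW_GATE = re.compile(r"location\.(?:href|pathname)[^;\n]{0,80}withdraw", re.IGNORECASE)


def check_third_party_script(script_bytes, expected_integrity):
    """Return a list of findings for a fetched third-party script (empty means clean)."""
    findings = []
    if sri_hash(script_bytes) != expected_integrity:
        findings.append("integrity mismatch: script body differs from the recorded baseline")
    text = script_bytes.decode("utf-8", errors="replace")
    if WITHDRAW_GATE.search(text):
        findings.append("page-path gate referencing a withdrawal URL")
    return findings


# Constructed sample scripts; neither is StatCounter's actual code.
BASELINE_SCRIPT = (
    b"var sc_project=1234567;\n"
    b"var sc_security='deadbeef';\n"
    b"(function(){var i=new Image();i.src='https://c.example.invalid/t.gif?p='+sc_project;})();\n"
)
BASELINE_INTEGRITY = sri_hash(BASELINE_SCRIPT)
TAMPERED_SCRIPT = BASELINE_SCRIPT + (
    b"if (document.location.href.indexOf('myaccount/withdraw/BTC') > -1) {\n"
    b"  /* injected: swap the destination address the user typed */\n"
    b"}\n"
)

if __name__ == "__main__":
    print(script_tag("https://c.example.invalid/counter.js", BASELINE_INTEGRITY))
    print("baseline:", check_third_party_script(BASELINE_SCRIPT, BASELINE_INTEGRITY))
    print("tampered:", check_third_party_script(TAMPERED_SCRIPT, BASELINE_INTEGRITY))
```

SRI only helps when the embedding site re-pins the hash on every legitimate update of the vendor script, so it suits vendors with stable releases; for scripts that change often, fetching and diffing them on a schedule with the check above is the fallback. An exchange can also keep analytics scripts off authenticated pages entirely, which removes the trust relationship rather than monitoring it.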

HSBC Bank Notifies Customers of Data Breach (November 6, 2018)
HSBC bank notified its customers that it suffered a data breach in which Personally Identifiable Information (PII) was accessed by unauthorised users. The bank disclosed that between October 4 and October 14, 2018, threat actors gained illicit access to customer accounts and were able to obtain addresses, dates of birth, email addresses, names, and phone numbers. Banking information such as account numbers and transaction history may also have been compromised in this incident. HSBC suspended online access for the affected accounts and contacted the customers to help them change their credentials. It is unclear how many people are affected by this breach.

Five Guys Notifies Employees of Data Breach (November 5, 2018)
The Five Guys burger chain notified its employees via email that it suffered a data breach after an employee opened a phishing email on May 23, 2018, giving an unknown threat actor unauthorised access to that employee's email account. The threat actor(s) were able to obtain employees' 401(k) contribution information, addresses, dates of birth, hire dates, names, Social Security numbers, and termination dates. The company has yet to disclose how many employees were affected. Five Guys stated that it is giving affected employees a paid-for, one-year membership to an identity monitoring service to watch their credit and personal information.
MITRE ATT&CK: [MITRE ATT&CK] Spearphishing Attachment (T1193)

Researchers 'Break' Edge with Zero-day Remote Code Exploit (November 5, 2018)
A zero-day exploit for Microsoft's Edge browser has been discovered that can allow a threat actor to run commands on a user's machine. Researchers Yushi Liang and Alexander Kochkov found two vulnerabilities that together allow remote code execution. They developed a stable exploit for the Edge browser that force-crashes and reloads the application with altered permissions, allowing the threat actor to run functions and access other applications and their data. The demonstration uses the Edge browser to open a landing page for Google Chrome.

PortSmash Attack Steals Secrets from Intel Chips on the Side (November 5, 2018)
Researchers from Sophos reported Proof-of-Concept (PoC) code, dubbed "PortSmash," that abuses a feature of Intel chips to steal secret cryptographic keys. It uses a side-channel attack in which one program (the attack thread) spies on another program (the victim thread) while it runs. PortSmash exploits "Simultaneous Multi-Threading" (SMT), which runs two threads concurrently on a single CPU core, and specifically targets Intel's implementation of it. The attack thread floods a specific execution port with instructions and times how long they take to complete; whenever the victim thread needs the same port, the attack thread's instructions are delayed, and these timing differences reveal the victim program's secrets over time. The PoC steals an OpenSSL private key from a TLS server, though the code could be reconfigured to target other kinds of secret data.